
CMMC Live: Pentagon Demands Verified Cybersecurity From Contractors

Enforcement of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirements started on November 10, 2025. (This post appeared first on SecurityWeek.)


The US Department of Defense’s long-anticipated Cybersecurity Maturity Model Certification (CMMC) program officially entered its enforcement phase on November 10, 2025.

Introduced as an amendment to the Defense Federal Acquisition Regulation Supplement (DFARS), the CMMC program requires defense contractors and subcontractors to implement specific cybersecurity measures to protect sensitive information. 

The Department of Defense, also referred to as the Department of War, can now mandate CMMC compliance as a condition for new defense industrial base (DIB) contracts.

The goal is to ensure that contractors and subcontractors can protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information not intended for public release that is provided to or generated by a contractor. CUI is sensitive government information that is not classified but still requires protection from unauthorized disclosures.

For the past eight years, contractors have been allowed to self-attest to cybersecurity compliance, but now some organizations will also need to undergo a formal assessment by a certified third-party assessor organization (C3PAO).

Depending on the sensitivity of the information they handle, contractors must comply with one of three CMMC maturity levels. 

Level 1, which covers basic safeguarding of FCI, requires an annual self-assessment and compliance with 15 requirements. Level 2, which covers broad protection of CUI, may require a self-assessment or an assessment conducted by a C3PAO to ensure compliance with 110 requirements specified in the NIST SP 800-171 cybersecurity framework. 

Level 3 is for higher protection of CUI against advanced persistent threats (APTs). It requires an assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, and compliance with the 110 requirements from NIST SP 800-171 and an additional 24 requirements from NIST SP 800-172 (enhanced security requirements).

November 10, 2025, marks the start of the first phase of CMMC implementation, with contractors being required to complete Level 1 and Level 2 self-assessments. In the second phase, which is set to start on November 10, 2026, contractors will be required to complete third-party assessments for Level 2 certifications for new contracts.

The third phase is scheduled for November 10, 2027, and it will introduce Level 3 requirements. The fourth and final phase is set for November 10, 2028, and involves full implementation of CMMC requirements across all applicable contracts.  

While Level 1 and Level 2 include self-assessments, contractors expose themselves to significant risks if they get caught misrepresenting compliance. It’s not uncommon for defense contractors to pay millions of dollars over their cybersecurity failures. The list includes MORSE, Aerojet Rocketdyne, and Raytheon/Nightwing.

“This is a GDPR-level event,” said Shrav Mehta, CEO of Secureframe, a company that offers CMMC compliance services and which published guidance this week.  

“Many defense contractors are still using personal emails or commercial solutions that don’t meet the bar for storing classified information — often manufacturing companies without IT departments,” Mehta explained. “That’s where the real vulnerability is: not with the big prime contractors, but with the subcontractors who don’t have the resources or expertise to secure this data alone.”

A report published in late September by DOD cybersecurity compliance services provider CyberSheath showed that only 1% of defense contractors felt fully prepared for CMMC, down from 4% in 2024.

“Eighty thousand defense contractors need Level 2 certification, yet only 270 of these organizations currently hold final CMMC certificates,” Emil Sayegh, CEO of CyberSheath, said at the time. “The math is simple and alarming. Contractors that aren’t prepared will be locked out of billions in DOD contracts while their competitors who invested in real compliance and cybersecurity capture the business.” 

In response to CMMC enforcement, cybersecurity companies have launched new products and updated existing platforms to help companies become compliant. CMMC compliance offerings were announced in recent days by AWS and Wiz (in partnership), Huntress, Strike Graph, USX Cyber, and Sensiba.
